Q45 — AWS SAA-C03 Chapter 3


Q175. A company recently launched a variety of new workloads on Amazon EC2 instances in its AWS account. The company needs to develop a strategy to securely access and administer the instances remotely. The company needs to implement a repeatable process that works with native AWS services and follows the AWS Well-Architected Framework. Which solution will meet these requirements with the least operational overhead?

Correct answer: B. Attach the appropriate IAM role to each existing instance and each new instance. Use AWS Systems Manager Session Manager to establish a remote SSH session.

Explanation

To access and administer Amazon EC2 instances remotely and securely in line with the AWS Well-Architected Framework, a solutions architect should attach the appropriate IAM role to each existing and new instance and then use AWS Systems Manager Session Manager to establish a remote SSH session. Therefore, option B is the correct answer.

Option A suggests using the EC2 serial console to directly access the terminal interface of each instance for administration. While this approach could work, it is not scalable and requires physical access to the underlying infrastructure.

Option C suggests creating an administrative SSH key pair, loading the public key into each EC2 instance, and deploying a bastion host in a public subnet to provide a tunnel for administration of each instance. While this approach could work, it requires more configuration management than AWS Systems Manager Session Manager.

Option D suggests establishing an AWS Site-to-Site VPN connection and instructing administrators to use their local on-premises machines to connect directly to the instances with SSH keys across the VPN tunnel. While this approach could work, it may not be as secure as AWS Systems Manager Session Manager and requires more manual configuration.

AWS Systems Manager Session Manager provides a secure and scalable way to access and administer Amazon EC2 instances without requiring inbound SSH ports or VPN connections. By attaching the appropriate IAM role to each instance, administrators can use the AWS Management Console or the AWS CLI to establish a remote SSH session through Session Manager. This approach follows the AWS Well-Architected Framework and provides a repeatable process that works with native AWS services while minimizing operational overhead.